
Re: [New maintainer] Working for Debian and becoming a registered Debian developer




Carl Mummert <mummert@cs.wcu.edu> writes:
> If a script kiddie is going to break into the system, is there some reason
> to believe that they would be unwilling to forge a birth certificate? 

I don't think a script kiddie is going to go to the trouble of (a)
forging documents, (b) waiting for new-maintainer processing, and (c)
bullshitting their way through a phone call just to screw over
Debian.  They'll just try to break into *.debian.org, probably fail,
and look for another target...

If someone is determined enough to screw us over that they are willing
to go through the application process to do it, then I doubt that even
requiring a face to face meeting will do much good.  Meeting a
developer in person is no guarantee that someone is honest, or who he
claims to be -- I suspect that most of us could easily miss a halfway
decent fake driver's license (available on college campuses everywhere
for a reasonable price) or birth certificate, or be talked out of
requiring one in the first place.

The only way mandatory key signatures would speed up the process would
be if they *replaced* the need for processing by the new-maintainer
team.  (Otherwise, they're just an added barrier to entry.)  My
opinion, though, is that doing so would lead to a false sense of
security, since it's harder to make 400+ diverse developers apply the
same standards than it is to do the same with a handful of hand-picked
new-maintainer processors.

> If each new developer were forced to have an old developer sign her pgp key,
> this would be an improvement over the current security system, and would
> also make it easier and faster to accept new developers.

On the contrary, I think it might actually have the long-term effect
of weakening Debian security, due to dilution of key-signing
standards.

Consider the case of a prospective Debian developer who does not have
physical contact with any other developer.  I'm guessing that this is
not at all uncommon -- after all, the world is a big place and we are
only a few hundred in number.  If the prospective member isn't lucky
enough to live in or near a city with a developer population already
(even if it's a population of one), doesn't have the travel budget to
go to conferences, etc., how are they supposed to join?

(Heck, I've been a member for over a year, and I still haven't met
another developer in person!  Remember, not all of us are rich, well
connected, able to travel, or living in areas with a technically
literate population.)

I submit that if a signed key is absolutely required, there will be
increased pressure for existing developers to sign keys for people
they have never met.  Doing that on more than a very occasional basis
would be a very bad idea...

> The fact remains that the debian policy is to discourage new developers
> by making it slow and difficult to get an account.

Requiring a developer's key signature would make it even slower and
more difficult, because it would impose a physical barrier.  As it is,
prospective developers who can have their keys signed, do.  The rest
of us can send documentation through the mail, which is a heck of a
lot easier and cheaper than travelling to another city (or country!)
to meet someone else in person.

Debian is a distributed project; imposing geographical barriers seems
silly.

--Rob

p.s. any developers in the Columbus, Ohio area?  I'll be up there from
August 1 until just before ALS...

-- 
Rob Tillotson  N9MTB  <robt@debian.org>
